MOUNTAIN VIEW, Calif. — Universities and health care organizations have led the way in Wi-Fi
installations — and done the bleeding that takes place on the cutting edge. Now, U.S.
corporations are learning from these leaders and evaluating how wireless LANs (WLANs) can benefit their companies.
Corporate IT executives came to the Angelbeat Mobility, Security, VoIP
Executive Briefing on Monday to hear from vendors of wireless monitoring and security
applications hoping to get their business. In a series of quick presentations, the vendors hit
the high notes on what businesses need to consider.
While early WLANs were highly crackable, the 802.11b/g standards allowed
for enhanced security. But Wi-Fi networks remain vulnerable to attacks and compromises,
said Adrian Spiga, regional director for AirMagnet. He warned enterprises not to rely on their
infrastructure vendors for security and monitoring.
And though the 802.11i standard allows for authentication and encryption, David
Solomon, an executive with Bluesocket, said it won’t solve the problem. In any installation
beyond the basic Internet cafi model, he said, different types of users
need different types of authentication and network access.
The management software of Bluesocket, a provider of corporate Wi-Fi management applications,
allows for rules-based authentication and limited rules-based
access, Solomon said, so that, for example, doctors could quickly get on the network and into
applications, while guests on the campus could obtain Internet-only access via browser authentication.
According to Rick Allen, IT security manager for the non-profit health care institution
NorthBay HealthCare, wireless use among his personnel wasn’t always smooth.
“There was a lot of pain before the promise,” Allen said.
During its first phase, NorthBay moved from legacy Cisco access points to 25 “fat” access points,
100 clinical thin clients and mobile devices, including XP Embedded thin clients and tablet PCs.
The facility began with islands of personnel using wireless — getting access to applications,
file serving and printing.
But he discussed how the facility came to managing and monitoring its 802.11 network using
software from Airwave. The facility determined that the Airwave management software
indirectly assists with compliance with government regulations, such as
HIPAA, because the facilities can prove they limit and monitor access. For example, when a laptop was
stolen, administrators could quickly block its access to the WLAN.
Monitoring software also improved technical support, reduced tech support costs and free up
engineers for other tasks. But there were hidden costs, including the physical installation of the
devices and access points, and the site survey process. The cost savings allowed the department to
budget for WLAN enhancements.
The phased rollout will double use of Wi-Fi by the first quarter of 2005. Plans include providing secure
private hotspots for vendors who come into the hospital to do business and need connectivity.
Already, clinicians are using handheld devices to access patient
registration and scheduling information, order tests and view results, check bedside chart entries and review
after-care plans.
Wi-Fi Meets RFID
While enterprises have heard about the benefits of Wi-Fi on their campuses, they also may be feeling
pressure to explore radio frequency identification
require another hardware/software/connectivity infrastructure.
Most of this year’s focus on RFID has been on passive tags, which automatically emit a signal when
they come in range of a reader. These relatively inexpensive tags, costing around 50 cents, have a
range of only a few feet.
Active RFID tags can piggyback on Wi-Fi networks, said Joshua Slobin, an executive with AeroScout,
a provider of Wi-Fi-based RFID technology.
Slobin said active tags, with self-contained batteries and a range of several hundred feet, cost
less than $100. So they don’t make sense for the kinds of tagging that retailers like Wal-Mart and Target
have begun to implement.
Active RFID tags work for high-value goods, such as medical or factory equipment, he said. Despite
the cost, they have one big advantage for companies that already have installed Wi-Fi in their facilities:
They eliminate the need for a separate network and infrastructure for RFID.
“It’s basically an 802.11 radio inside this tag,” said Slobin.
Therefore, the enterprise doesn’t need to install readers or network the readers in order to get
information into corporate servers. Instead, the signal broadcast by the active tags can be triangulated
in order to locate the assets to which they’re attached.
Active tags also are useful for another kind of high-value asset: people.
AeroScout provides the RFID-enabled bracelets used at the Legoland Amusement Park. Parents can rent
the wristbands, and if they get separated from their child, they send an SMS message via phone and get
back the actual coordinates of the child.
Slobin said the tag rental raises park revenue, improves the
customer experience and reduces the amount of time park staff spends on locating lost children.
The park operator also gets valuable intelligence about how the park is used.
Learning to Love XP SP2
Rand Morimoto, president of Convergent Computing, dove into Microsoft’s intensive security
fix, XP Service Pack 2,
which has implications for both wired and wireless network communications.
Morimoto, who is a White House advisor on cyber security, acknowledged that SP2 breaks most third-party
applications. That’s because Windows Firewall is turned on and locked down by default in SP2, while the
past trend for writing applications was to allow two-way traffic.
To fix this problem, port access can be enabled for whole classes of application connectors, or it
can be done application by application.
“You don’t want to open up a whole program for access,” Morimoto said. Instead, he advised opening
just one port for the application. Newer versions of software applications will list the appropriate
ports to open in order for them to work through the firewall.
Morimoto said Service Pack 1 for Windows 2003 would ship in the first quarter of 2005.
The Internet connection firewall for SP1 is similar to that in XP SP2. SP1 includes a security
configuration wizard that supports lock-down of e-mail, SQL and other application server configurations.
It provides the ability to lock down servers, not only on the corporate network but also on a server-by-server
basis.
It allows administrators to create exceptions. For example, they can designate allowable inbound and
outbound traffic. IT can customize the firewall policies, save them as a file, and then apply them
across servers in the environment.
The service pack adds quarantine management, an API that prevents remote users from spreading
viruses via the VPN. “The minute you provide access, whatever is on that home computer comes in through
the VPN,” Morimoto said.
Instead, it allows remote users to temporarily login to a quarantine network where the machine is scanned
to make sure it has the latest protection software. If it doesn’t, it cleans the system before it allows
access. The API sits on the client computer, scanning the system, and then the quarantine system just checks
those scans. So there’s only about a three-second delay before login.
While Microsoft had planned to provide the scanning and repair software itself, Morimoto said, two
weeks ago it announced it would instead allow customers to employ third-party software to do this task.
Next-Generation Traffic Jams
The WLAN future isn’t all rosy. The use of SAP, VoIP and e-mail will all be competing for bandwidth with no clear winner, said Jeff Meyer of Packeteer Networks, maker of software that manages application traffic going over TCP/IP networks.
“Only 20 percent of organizations know what’s truly running on their networks,” he said, adding that mission-critical traffic can be squashed by such things as large files sent to multiple users or consumer file-sharing applications.
And, if the network is under attack, he said, the wireless network is the first to go down.